Active directory and linux nslcd binding without extending the AD schema


I have a requirement of binding linux clients to Windows Server 2012 Active Directory. I have a test environment where I successfully did that both with samba-winbind-kerberos and with nslcd, using a user to authenticate. However, when using samba-winbind-kerberos, I was able to achieve this without extending the AD schema to include UNIX attributes (UID/GID, home directory, shell), because smb.conf has an idmap option that specifies a starting range

idmap config *:range = 11000-20000

and this will take care of unix mapping of UID/GID of AD users.

If I do not enable UNIX attributes in AD, I will get an error in nslcd debug log, that says

uidNumber: missing

Is there any way to use the same feature in nslcd/libnss_ldap, so that I do not have to extend the AD schema on the Windows Server 2012? I prefer not to use samba in a production environment because of its remote code execution vulnerability.


There are 2 answers

init (accepted answer):

This is not possible right now. There is no id mapping available for nslcd according to their documentation, and this requires your AD schema to be extended to have unix attributes.

U880D:

Using CentOS Linux release 7.4.1708 (Core) with nslcd version 0.8.13 against Windows 2016 AD without any schema extension, I was able to configure this and get it working properly today.

I mainly followed the Serverfault article "LDAP authentication on CentOS 7" and had to use the "Alternative mappings for Active Directory" section in /etc/nslcd.conf, replacing the SIDs in the objectSid mappings with the value for your domain.

To "Get SID by its objectSid using ldapsearch" I've used the linked script.

Other mappings were set to

filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map    passwd uid           sAMAccountName
map    passwd uidNumber     objectSid:<yourValue>
map    passwd gidNumber     primaryGroupID
map    passwd homeDirectory "/home/$sAMAccountName"
map    passwd gecos         displayName
map    passwd loginShell    "/bin/bash"
map     group gidNumber      primaryGroupID
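As an added example (not part of this answer, and not nslcd's own code), the Python below does by hand what the objectSid:<yourValue> mapping above does with the numbers: it decodes the base64 objectSid that ldapsearch prints, splits off the domain SID that goes into nslcd.conf, and derives the RID that becomes the uidNumber. It also checks that a RID-derived uid does not collide with a local account, since this mapping has no equivalent of the smb.conf idmap range; the sample SID and passwd lines are constructed.

```python
import base64
import struct

# Constructed sample: binary objectSid for the made-up SID S-1-5-21-1111-2222-3333-1105,
# packed as AD stores it: revision, sub-authority count, 48-bit big-endian
# identifier authority, then little-endian 32-bit sub-authorities.
SAMPLE_SID_BYTES = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 1111, 2222, 3333, 1105))
# ldapsearch prints binary attributes base64-encoded as "objectSid:: <value>".
SAMPLE_LDAPSEARCH_LINE = "objectSid:: " + base64.b64encode(SAMPLE_SID_BYTES).decode()


def decode_sid(raw: bytes) -> str:
    """Convert a binary objectSid into its S-1-5-21-... string form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return f"S-1-{authority}" + "".join(f"-{s}" for s in subs)


def sid_from_ldapsearch(line: str) -> str:
    """Decode one 'objectSid:: <base64>' line as printed by ldapsearch."""
    label, sep, value = line.partition(":: ")
    if label != "objectSid" or not sep:
        raise ValueError("not a base64 objectSid line")
    return decode_sid(base64.b64decode(value))


def domain_sid(sid: str) -> str:
    """Drop the RID; what remains is the value to put after objectSid: in nslcd.conf."""
    return sid.rsplit("-", 1)[0]


def numeric_id(sid: str, configured_domain_sid: str) -> int:
    """The id the objectSid:<domain SID> mapping yields: the RID after the prefix.
    This version refuses SIDs from any other domain (trusted forest, BUILTIN)
    instead of handing out an id from the wrong number space."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != configured_domain_sid:
        raise ValueError(f"{sid} is not in domain {configured_domain_sid}")
    return int(rid)


def collides_with_local(uid: int, local_passwd: str) -> bool:
    """True if the RID-derived uid is already used in the local passwd file; low RIDs
    (e.g. 500 for the built-in Administrator) can overlap system accounts, which the
    idmap range in smb.conf avoided and this mapping does not."""
    local = {int(l.split(":")[2]) for l in local_passwd.splitlines() if l.count(":") >= 6}
    return uid in local
```

Because gidNumber is mapped from primaryGroupID, which is itself a RID, users and groups share the same number space and the same collision check applies to groups.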